robertdavidgraham / masscan

TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
GNU Affero General Public License v3.0

Some idiot is using your tool to mass scan our network #482

Closed: vsecades closed this issue 3 years ago

mzpqnxow commented 4 years ago

@vsecades you can close this now, thx

knightorc commented 4 years ago

ditto

146.185.142.70 - - [05/Apr/2020:00:01:06 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:01:26 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:01:29 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
173.212.218.126 - - [05/Apr/2020:00:01:44 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
5.189.176.208 - - [05/Apr/2020:00:02:15 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
103.83.5.41 - - [05/Apr/2020:00:02:39 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
103.83.5.41 - - [05/Apr/2020:00:02:39 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
5.189.176.208 - - [05/Apr/2020:00:02:45 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:02:47 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
173.212.218.126 - - [05/Apr/2020:00:03:20 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:03:48 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
5.189.176.208 - - [05/Apr/2020:00:04:08 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:04:08 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:04:31 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
159.89.16.121 - - [05/Apr/2020:00:04:33 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
103.83.5.41 - - [05/Apr/2020:00:04:38 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
159.65.11.106 - - [05/Apr/2020:00:04:54 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
159.89.16.121 - - [05/Apr/2020:00:05:14 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
103.83.5.41 - - [05/Apr/2020:00:05:16 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
159.89.16.121 - - [05/Apr/2020:00:05:17 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
159.89.16.121 - - [05/Apr/2020:00:05:21 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
51.68.70.66 - - [05/Apr/2020:00:05:23 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
51.68.70.66 - - [05/Apr/2020:00:05:26 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:05:29 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
173.212.218.126 - - [05/Apr/2020:00:05:37 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
173.212.218.126 - - [05/Apr/2020:00:05:41 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
5.189.176.208 - - [05/Apr/2020:00:05:46 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
5.189.176.208 - - [05/Apr/2020:00:06:26 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
5.189.176.208 - - [05/Apr/2020:00:06:47 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
173.212.218.126 - - [05/Apr/2020:00:07:29 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:07:30 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
146.185.142.70 - - [05/Apr/2020:00:07:50 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
159.65.11.106 - - [05/Apr/2020:00:08:05 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
173.212.218.126 - - [05/Apr/2020:00:08:20 +0000] "GET / HTTP/1.0" 301 - "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-:80"
TehVulpes commented 4 years ago

I'm willing to bet most of the traffic this repo gets is from people looking through their access logs

Edit: Those commenting on this issue worried about security should really audit their environment over adding their IP to an exclusion list.

vsecades commented 4 years ago

@TehVulpes you have no idea. These tools are unfortunately created without any regard for their misuse.

jeanpul commented 4 years ago

ditto

2020-04-14T07:50:24.481022498Z 5.196.65.217 - - [14/Apr/2020:07:50:24 +0000] "GET / HTTP/1.0" 301 185 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"

mzpqnxow commented 4 years ago

@jeanpul @TehVulpes @vsecades @knightorc

Make a PR to https://github.com/robertdavidgraham/masscan/blob/master/data/exclude.conf

Thanks, you can close this issue now

BloodBound696 commented 4 years ago

Wait so I don't understand people... are connecting to this tool and are able to scan networks I'm connected to?

arubaxi commented 4 years ago

> Wait so I don't understand people... are connecting to this tool and are able to scan networks I'm connected to?

No, people are just too lazy to mind their network's security so they simply decide to blame random things on earth for that.

OP is able to create the issues with the same subject name as well on nmap, zmap, patator and many other tools repos. It just doesn't matter for them that this tool has zero relevance to their own security issues.

joseph-giron commented 4 years ago

138.197.212.58 - - [06/Jun/2020:12:38:49 +0200] "GET / HTTP/1.0" 301 564 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"

the user of this IP is starting to piss me off nicely.

I don't know how to Make a PR to https://github.com/robertdavidgraham/masscan/blob/master/data/exclude.conf and what is PR ?

You realize that 'exclude.conf' isn't even called right? Pissing into an ocean of piss.

mzpqnxow commented 4 years ago

@joseph-giron yes, configuration files are specified on the command-line and not hard-coded, so only those performing legitimate surveys of the Internet (possibly wanting to be responsible or respectful of those NOCs who still live in the world of generating abuse complaints when snort tells them to) would be likely to use them. Maybe there are a few script kids out there who are intelligent enough to avoid hitting the small collection of networks on this list to avoid their scans generating abuse complaints that may get their boxes killed, but I guess it's probably a near-zero population

We can all stop pissing. I've finally learned my lesson about answering these sorts of issues in hope of them being closed by the individual entering them. They don't seem to be headed towards a conclusion (by Rob or by the initial creator of the issue) so I'll give up

Unrepentant-Atheist commented 3 years ago

Nice!

joshenders commented 3 years ago

"Some idiot" is using his time to spam this repo

nukeop commented 3 years ago

based

sharoninator commented 3 years ago

Sent a field team to neutralize the suspect, so the vulnerability is fixed! This can be closed now

ramshorst commented 3 years ago

Some idiot is using his celebrity to spam this repo

It's called HN ;)

Enrico204 commented 3 years ago

> @TehVulpes you have no idea. These tools are unfortunately created without any regard for their misuse.

So why don't we close the Internet as it was created without any regard for their misuse?

odiferousmint commented 3 years ago

> @TehVulpes you have no idea. These tools are unfortunately created without any regard for their misuse.

Roads are built without any regard for their misuse. What are you thinking of targeting next? nmap?

anaisbetts commented 3 years ago

These are the kind of people who, when someone tries to break into their house, their first thought is apparently "I'm gonna call the crowbar company and give them a piece of my mind!" 🙃

pry0cc commented 3 years ago

I had no idea GitHub comments could be this active.

riskynacho commented 3 years ago

File this under PEBKAC.

aneutron commented 3 years ago

After security by obscurity, and zero-trust, hails a new paradigm: Security by cease and desist. Wonderful.

rswail commented 3 years ago

To all the people that raise an issue like this, the problem is the IP address that is using masscan, not the tool.

So "dig -x IP address" will tell you who owns that IP address. Complain to them.

eg "dig -x 146.185.142.70" returns that IP address with a nameserver at Digital Ocean. So someone has a server hosted there that is scanning. Complain to them.

aneutron commented 3 years ago

@rswail How dare you be reasonable! It's because of people developing Linux that hackers use their TCP stack to attack our networks!

gko commented 3 years ago

> @TehVulpes you have no idea. These tools are unfortunately created without any regard for their misuse.

yes, the creator of hammer also should have thought better

diego-treitos commented 3 years ago

This tool is coded in C, which was unfortunately created without any regard for its misuse. OP should open the bug upstream.

michaelranaldo commented 3 years ago

> After security by obscurity, and zero-trust, hails a new paradigm: Security by cease and desist. Wonderful.

We'll threaten the criminals with legal action, that'll stop them!

egberts commented 3 years ago

That should be broken up into three steps:

  1. Shore up your network defense
  2. Call legal
  3. Close this issue as WONTFIX

kaidenshi commented 3 years ago

> After security by obscurity, and zero-trust, hails a new paradigm: Security by cease and desist. Wonderful.

"I demand to speak to your manager!" ~ @vsecades (aka Karen)

hyperreality commented 3 years ago

> This tool is coded in C, which was unfortunately created without any regard for its misuse. OP should open the bug upstream.

It should be rewritten in Rust, which is impossible to misuse.

rafaelbiriba commented 3 years ago

chrissound commented 3 years ago

This project might be a useful solution: https://github.com/chrissound/GitChapter you would be able to write technical documentation around the fix.

jeanpul commented 3 years ago

> To all the people that raise an issue like this, the problem is the IP address that is using masscan, not the tool.
>
> So "dig -x IP address" will tell you who owns that IP address. Complain to them.
>
> eg "dig -x 146.185.142.70" returns that IP address with a nameserver at Digital Ocean. So someone has a server hosted there that is scanning. Complain to them.

For Digital Ocean I don't know, but OVH doesn't care about what people do with their servers, so they will answer you: "we are not responsible for what people are doing with their server". Moreover, international instances never answer reports. Maybe the best answer is to blacklist IPs as much as possible (maybe countries too).
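
The two suggestions in this thread (complain to whoever hosts the source address, or block it) both start from knowing which addresses sent the requests and when. The following is an added example, not part of any comment here and not code from the masscan project: it extracts per-source counts and time ranges from access-log lines in the formats quoted on this page. The function names and the sample lines (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the formats quoted in this thread; addresses are
# from the documentation ranges (RFC 5737), not real scanners.
UA = "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
SAMPLE_LOG = f'''\
192.0.2.10 - - [05/Apr/2020:00:01:06 +0000] "GET / HTTP/1.0" 301 - "-" "{UA}" "-:80"
203.0.113.5 - - [05/Apr/2020:00:01:09 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Apr/2020:00:04:31 +0000] "GET / HTTP/1.0" 301 - "-" "{UA}" "-:80"
2020-04-14T07:50:24.481022498Z 198.51.100.7 - - [14/Apr/2020:07:50:24 +0000] "GET / HTTP/1.0" 301 185 "-" "{UA}"
this line is not an access-log entry
'''

# Optional container-log timestamp, client IP, [time], "request", status,
# bytes ("-" allowed), "referer", "user-agent"; trailing fields are ignored.
LINE_RE = re.compile(
    r'^(?:\S+Z\s+)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def summarize_masscan_hits(lines):
    """Return {ip: {"count", "first", "last"}} for requests with a masscan User-Agent."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m.group("ua").lower().startswith("masscan/"):
            continue  # unparsable line or some other client
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        rec = hits[m.group("ip")]
        rec["count"] += 1
        rec["first"] = when if rec["first"] is None else min(rec["first"], when)
        rec["last"] = when if rec["last"] is None else max(rec["last"], when)
    return dict(hits)

def report_rows(hits):
    """One line per source, busiest first: address, hit count, first and last seen."""
    rows = sorted(hits.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [f'{ip} hits={r["count"]} first={r["first"].isoformat()} '
            f'last={r["last"].isoformat()}' for ip, r in rows]

if __name__ == "__main__":
    print("\n".join(report_rows(summarize_masscan_hits(SAMPLE_LOG.splitlines()))))
```

The User-Agent header is supplied by the client, so this only counts scans that announce themselves with the default string.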

Qrbaker commented 3 years ago

> This project might be a useful solution: chrissound/GitChapter you would be able to write technical documentation around the fix.

Please don't use GitHub issues as an advertising platform.

rafaelbiriba commented 3 years ago

I am in love with this repo! So much fun, reading the issues!

WhyNotHugo commented 3 years ago

I think this project should be banned, people keep misusing it. I think we should also ban knives, killers keep using them to stab people!

jideel commented 3 years ago

Reminds me of the attack of the repo men, https://acme.com/software/thttpd/repo.html. Almost 20 years, and they're still around.

marekr commented 3 years ago

I like the one guy in the exclude.conf pulling out his defense contractor epeen. You can just smell the federal standard violations they are covering up by having a guy staring at access logs of their swiss cheese perimeter firewall.

Zenexer commented 3 years ago

This issue has been receiving a lot of attention on Hacker News, hence the sudden influx of comments.

thomasdavis commented 3 years ago

You can't ban the inevitable, build the defence.

MikePadge commented 3 years ago

> @TehVulpes you have no idea. These tools are unfortunately created without any regard for their misuse.

oh, hello there friend, welcome to the internet. You must be new here. It is a wonderful and exciting place full of wonder (and horror if you go looking for it).

Please, in the future refrain from opening frivolously ridiculous tickets on repos of hardworking individuals who use their own time, sweat and labor to give back to the community.

If you're upset about your network being scanned, may I suggest learning how your firewall works.

ericol commented 3 years ago

Well, this is interesting (as long as something this stupid can be interesting).

Somebody stated what we all already know: That there are a lot of stupid people using available tools for stupid purposes.

But the person that stated this doesn't seem to be any less stupid than any other stupid involved.

memiux commented 3 years ago

mna93

luigimorel commented 3 years ago

Real recognizes real. Stupid people recognize stupid people. Err, never mind

C0deMunk33 commented 3 years ago

> That should be broken up into three steps:
>
>   1. Shore up your network defense
>   2. Call legal
>   3. Close this issue as WONTFIX

Ah yes, the versatile lawyered-up nofix.

s0urfruit commented 3 years ago

"some idiot is trying to blame poor network security on a random tool, on GitHub, since why the f**k not"

should go after nmap m8. they're super bad

payne747 commented 3 years ago

if (idiot) return -1;

Fixed it.

riskynacho commented 3 years ago

@vsecades image

vsecades commented 3 years ago

> @vsecades image

Nice. Someone with a sense of humor at least.

kls0e commented 3 years ago

Thanks, you can close this issue now

s0urfruit commented 3 years ago

@vsecades close the issue lmao